Constraint template library

Constraint templates let you define how a constraint works while delegating the specifics of the constraint to an individual or group with subject-matter expertise. Besides separating concerns, this also separates the logic of a constraint from its definition.

The following constraint templates are included with Anthos Policy Controller. You can also browse the library of constraint templates in the Gatekeeper repository.

anthos-service-mesh

| Name | Description | Parameters |
| --- | --- | --- |
| allowedserviceportname | Requires that service port names have a prefix from a specified list. | `prefixes` (array) |
| destinationruletlsenabled | Requires that all hosts and host subsets in Istio DestinationRules not have TLS disabled. | none |
| disallowedauthzprefix | Requires that principals and namespaces in Istio AuthorizationPolicy rules not have a prefix from a specified list. | `disallowedprefixes` (array) |
| policystrictonly | Requires that Istio authentication Policy specify peers with STRICT mutual TLS. | none |
| sourcenotallauthz | Requires that Istio AuthorizationPolicy rules have source principals set to something other than "*". | none |

etc

| Name | Description | Parameters |
| --- | --- | --- |
| k8sblockprocessnamespacesharing | Prohibits pod specs with shareProcessNamespace set to true. This avoids scenarios where all containers in a pod share a PID namespace and can access each other's filesystem and memory. | none |
| k8sdisallowedrolebindingsubjects | Prohibits RoleBindings or ClusterRoleBindings with subjects matching any disallowedSubjects passed as parameters. | `disallowedSubjects` (array) |
| k8semptydirhassizelimit | Requires that any emptyDir volumes specify a sizeLimit; optionally, a maxSizeLimit parameter may be supplied in the constraint to specify a maximum allowable size limit. | `maxSizeLimit` (string) |
| k8slocalstoragerequiresafetoevict | Requires pods using local storage (emptyDir or hostPath) to have the annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". Cluster Autoscaler will not delete pods without this annotation. | none |
| k8smemoryrequestequalslimit | Promotes pod stability by requiring that all containers' requested memory exactly equals the memory limit, so that pods are never in a state where memory usage exceeds the requested amount. Kubernetes may terminate pods in that state when memory is needed. | none |
| k8snoexternalservices | Prohibits the creation of Gateway, Ingress, and Service resources that expose workloads to external IPs. Gateway: all resources of group networking.istio.io are prohibited. Ingress: all resources of group extensions or networking.k8s.io are prohibited. Service: all LoadBalancer type resources must have the Internal annotation; any externalIPs must belong to the CIDRs specified by the internalCIDRs parameter. | `internalCIDRs` (array) |

pod-security-policy

| Name | Description | Parameters |
| --- | --- | --- |
| k8spspallowedusers | Controls the user and group IDs of the container. | `runAsUser` (object) |
| k8spspallowprivilegeescalationcontainer | Controls restricting escalation to root privileges. | none |
| k8spspapparmor | Controls the AppArmor profile used by containers. | `allowedProfiles` (array) |
| k8spspcapabilities | Controls Linux capabilities. | `allowedCapabilities` (array), `requiredDropCapabilities` (array) |
| k8spspflexvolumes | Controls the allow list of FlexVolume drivers. | `allowedFlexVolumes` (array) |
| k8spspforbiddensysctls | Controls the sysctl profile used by containers. | `forbiddenSysctls` (array) |
| k8spspfsgroup | Controls allocating an FSGroup that owns the pod's volumes. | `rule` (string), `ranges` (array) |
| k8spsphostfilesystem | Controls usage of the host filesystem. | `allowedHostPaths` (array) |
| k8spsphostnamespace | Controls usage of host namespaces. | none |
| k8spsphostnetworkingports | Controls usage of host networking and ports. | `max` (integer), `hostNetwork` (boolean), `min` (integer) |
| k8spspprivilegedcontainer | Controls running of privileged containers. | none |
| k8spspprocmount | Controls the allowed proc mount types for the container. | `procMount` (string) |
| k8spspreadonlyrootfilesystem | Requires the use of a read-only root file system. | none |
| k8spspseccomp | Controls the seccomp profile used by containers. | `allowedProfiles` (array) |
| k8spspselinux | Controls the SELinux context of the container. | `allowedSELinuxOptions` (object) |
| k8spspvolumetypes | Controls usage of volume types. | `volumes` (array) |